In March 2006, the Defense Information Systems Agency hired BAE Systems to supply an automated Host-Based Security System to the entire Defense Department.
DISA’s goal for the program is to “provide network administrators and security personnel with mechanisms to prevent, detect, track, report, and remediate malicious computer-related activities and incidents across all DoD networks and information systems.”
Full-scale deployment of what is now widely known as HBSS began in 2007. It requires HBSS software to be installed on every host — i.e., server, desktop or laptop — in DoD. Tremendous progress has been made on this massive deployment on the NIPRNet, now known as the Sensitive but Unclassified Internet Protocol Router Network. In 2009, a contract for implementation on SIPRNet, the secret data network, was awarded.
HBSS security solutions are “agent-based.” An agent is a computer program that works toward a specific goal without continuous, direct supervision. Agent-based security solutions require software to be installed on each device. By contrast, “agentless” security solutions are network-based. Typically, they operate using a central server and they scan assets to collect data on security conditions.
At the time the HBSS program was conceived, a wide range of critical security functions could only be supplied by agents. DISA had expansive plans for HBSS to serve as an extensible platform — meaning one that would be capable of managing not just the original set of agents, but also new agents that would be added to address future threats. However, both the technology and the operating environment have changed.
While DISA shows no signs of abandoning its agent-based HBSS approach, the agency is beginning to place greater emphasis on agentless solutions for certain security functions. DISA is evaluating a major investment in an agentless network security solution, and security officials at other DoD installations are looking for supplemental and even replacement technologies for what have traditionally been agent-supplied functions.
In short, we are seeing a dramatic increase in interest in agentless solutions from these installations, even when those solutions overlap with the functions HBSS and other agents provide. This shift is mirrored across the civilian market, financial markets and other sectors that previously invested heavily in agent-based security solutions. For security functions like asset discovery, compliance auditing, configuration auditing and file integrity monitoring, agentless solutions are beginning to dominate the request-for-proposal selection criteria, which bodes well for organizations that must guard against increasing risk in a more austere budgetary environment.
Why the shift? After all, there are a number of established security functions that simply have to be accomplished using agents. For example, antivirus and patching are both functions that can’t be achieved without having an active presence on the device. In the past, other common host-based services included intrusion prevention, vulnerability management, policy auditing, change monitoring, asset discovery and data loss prevention. However, agent-based solutions have always suffered from some widely recognized drawbacks:
To install an agent-based system, every device to be managed must be touched, resulting in lengthy installation and deployment periods and high labor costs.
Agents typically require root or administrator privileges to operate.
A distinct agent must be written and maintained for each operating system supported. For this reason, agents tend to be expensive and have high operational costs.
Some devices that need to be defended and audited/monitored/assessed cannot accept an agent, including firewalls, routers, switches, printers, IP phones, etc.
Agents consume resources on the host device and can sometimes cause conflicts with mission functions or with other agents on the host.
The presence of an agent creates new attack surface, especially because the agent typically runs with privileged access to the device.
Agents can fall out of communication or fail to install properly.
For all of these reasons, the deployment of agents is a process prone to turf wars because system owners sometimes resist implementation.
Agentless solutions, because they are network-based, are less expensive to install and maintain, and much faster to deploy, requiring hours instead of months, in some cases. Fans of agentless solutions promote their ease of implementation and maintenance, their scalability and the broader coverage of devices that these solutions offer.
But fans of agents would highlight their ability to respond instantly to a threat condition and to make changes to the host computer when needed. The fact that the agent is “right there” on the host implies greater access and knowledge of configuration settings. Until recently, that has been a compelling factor in the selection of an agent-approach for functions like configuration auditing or file-integrity monitoring.
Changes in the operating environments and advances in technology are driving a fresh look at these historical divisions, however. The government-wide push for continuous monitoring of assets, vulnerabilities and configurations is extending the agent/agentless dialogue to a broader audience, and new capabilities are causing even hardened agent advocates to rethink their preconceptions.
Advancements in recent years are moving agentless solutions to the foreground, particularly in the areas of network discovery, vulnerability management and even configuration auditing. These are the same functions the Obama administration and the Defense Department are highlighting for continuous monitoring. Some of the key advances include:
New techniques for discovering and profiling assets allow agentless technologies to collect and manage information about a vastly wider array of devices: firewalls, routers, switches, printers, IP phones, even IP-enabled video cameras. Anything on the network can represent a risk, so every device must be detected and profiled if it is to be managed and secured.
Advances in centralized identity management, enabled by products like Windows Active Directory and other single-sign-on solutions, allow administrators to create very fine-grained, limited privilege accounts such as those with read-only and limited access sufficient for assessing device configuration. The solution administrator can centrally consolidate these accounts and strictly limit access to security and audit functions like agentless vulnerability scanning and configuration auditing. With this access, agentless tools can capture rich detail about all applications and configuration settings on a system without affecting the integrity of the system, consuming system resources or creating conflicts with other processes.
Advances in scanning technology have yielded new data collection methodologies so that agentless solutions can collect this data in such a gentle fashion that even industrial control systems and other sensitive devices may be remotely assessed without interfering with mission functions. Even change monitoring, policy compliance auditing, software whitelisting and file integrity monitoring — all functions that previously demanded the use of an agent — can now be achieved with a centralized, network-based model.
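The centralized, network-based model described in the two points above can be sketched in a few dozen lines. The following is an added example, not code from the article or from any HBSS or nCircle product: a central auditor holds a baseline of file digests for each host, re-collects the files through a read-only audit account, and reports drift (changed, added and removed files) alongside configuration-policy findings. Hostnames, file paths, file contents and the one policy rule are constructed for the example; collection over SSH or WMI is simulated by an in-memory inventory so that the script runs offline.

```python
"""Centralized, agentless file-integrity and configuration audit (simulated).

A read-only scan account retrieves files from each host; the central auditor
hashes them, compares the digests with a stored baseline, and checks a small
configuration policy. Nothing is written to the hosts.
"""
import hashlib
from typing import Dict, List, Tuple


def fingerprint(files: Dict[str, bytes]) -> Dict[str, str]:
    """Map each file path to the SHA-256 digest of its contents."""
    return {path: hashlib.sha256(data).hexdigest() for path, data in files.items()}


# Constructed known-good snapshot taken at baseline time (hypothetical hosts and files).
KNOWN_GOOD: Dict[str, Dict[str, bytes]] = {
    "web01": {
        "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        "/etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
    },
    "db01": {
        "/etc/ssh/sshd_config": b"PermitRootLogin no\nPasswordAuthentication no\n",
        "/etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
        "/etc/cron.d/oldjob": b"0 3 * * * root /opt/oldjob.sh\n",
    },
}

# The baseline the central auditor keeps: digests only, never the file contents.
BASELINE: Dict[str, Dict[str, str]] = {host: fingerprint(files) for host, files in KNOWN_GOOD.items()}

# Constructed inventory representing what the read-only scan account sees today.
# db01 has drifted: root SSH login was enabled, a cron job was added, another removed.
INVENTORY: Dict[str, Dict[str, bytes]] = {
    "web01": dict(KNOWN_GOOD["web01"]),
    "db01": {
        "/etc/ssh/sshd_config": b"PermitRootLogin yes\nPasswordAuthentication no\n",
        "/etc/hosts.allow": b"sshd: 10.0.0.0/8\n",
        "/etc/cron.d/backup": b"0 2 * * * root /opt/backup.sh\n",
    },
}

# Hypothetical policy: (required exact line, finding text) per file.
POLICY: Dict[str, List[Tuple[str, str]]] = {
    "/etc/ssh/sshd_config": [("PermitRootLogin no", "root SSH login must be disabled")],
}


def collect_readonly(host: str) -> Dict[str, bytes]:
    """Simulated collection step. A real collector would open an SSH or WMI
    session with a dedicated audit account that has read access only."""
    return dict(INVENTORY[host])


def diff_baseline(baseline: Dict[str, str], current: Dict[str, str]) -> Dict[str, List[str]]:
    """Classify each path as changed, added or removed relative to the baseline."""
    return {
        "changed": sorted(p for p in baseline if p in current and baseline[p] != current[p]),
        "added": sorted(p for p in current if p not in baseline),
        "removed": sorted(p for p in baseline if p not in current),
    }


def check_policy(files: Dict[str, bytes], policy: Dict[str, List[Tuple[str, str]]]) -> List[str]:
    """Return one finding per required line that is missing from a file."""
    findings = []
    for path, rules in policy.items():
        lines = files.get(path, b"").decode("utf-8", "replace").splitlines()
        for required, description in rules:
            if required not in lines:
                findings.append(f"{path}: {description}")
    return findings


def audit(host: str) -> Dict[str, List[str]]:
    """Collect, compare with baseline and check policy for one host."""
    files = collect_readonly(host)
    report = diff_baseline(BASELINE.get(host, {}), fingerprint(files))
    report["policy"] = check_policy(files, POLICY)
    return report


def audit_all() -> Dict[str, Dict[str, List[str]]]:
    """Audit every host in the inventory from the central system."""
    return {host: audit(host) for host in INVENTORY}


if __name__ == "__main__":
    for host, report in audit_all().items():
        print(host, report)
```

Running the script reports no drift for web01 and, for db01, a changed sshd_config, an added cron job, a removed cron job and one policy finding. The point of the layout is that the baseline holds only digests and the scan account only reads: the auditor can be updated on one system while the hosts carry no resident software.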
As a result of these advances, agentless network security solutions now deliver functions that previously required an agent. These include critical aspects of the continuous monitoring initiatives emerging from the White House Office of Management and Budget and the Defense Department, including configuration auditing.
For organizations straining to cope with new requirements, more assets, evolving threats, fewer human resources and smaller budgets, this is very good news. For example, agentless configuration auditing solutions are now available that:
Typically install in hours and usually generate fewer turf battles.
Cover an entire organization and every IP-enabled device present on a network and identify a much broader set of devices on the network.
Can’t be disabled by users.
Consume negligible resources on the hosts for a brief period during a scan.
Provide file integrity monitoring.
Are easier to maintain, requiring updates on only one or a few systems.
Scale readily with minimal or no additional effort or resources, providing tremendous advantage to large or dynamic organizations.
From a budgetary and time-to-value perspective, this offers a tremendous contrast with current agent-based options offering the same function.
The passionate nature of the agent versus agentless debate can take on the character and intensity of a religious war in some organizations. As is so often the case, there is plenty to be said for both approaches. Both classes of solutions are needed to proactively address today’s security challenges.
There will always be security functions that require a presence on the device. However, from a budgetary perspective, and especially for large organizations, agentless solutions are vastly superior when they can meet the requirement — and the range of requirements they can meet has grown markedly in recent years.
Whether and how the Defense Department’s massive investment in the agent-based HBSS approach will be changed is unclear. But there is no doubt that in the years ahead, agentless network security will play a larger role within the department, just as it is beginning to do in the civilian and commercial worlds.
Keren W. Cummins is director of federal markets for nCircle, a San Francisco-based company that provides information security tools to industry and government customers.